
Re: Help using ImageStreams, DCs and ImagePullSecrets templates with a GitLab private registry (v3.6)



In short, there are two possible use-cases here.

The first, in which the authorization is performed under the same URL as the pull:

1. IS stays the same, no need to modify anything.
2. Create a secret, e.g.:
    oc secrets new-dockercfg <secret_name> \
       --docker-server=<server> \
       --docker-username=<username> \
       --docker-password=<password> \
       --docker-email=<email>

3. Re-run the import:
  oc import-image <IS name>


The second, in which authorization is delegated to a different URL:
1. IS stays the same, no need to modify anything.
2. Create a secret as previously.
3. Create a 2nd secret against the authorization URL. You can get it by trying to curl the image
   data, e.g. curl -v https://<registry address>/v2/<namespace>/<image>; in return you should
   see the HTTP/1.1 401 Unauthorized with information on where to authenticate, e.g.:
   WWW-Authenticate: Bearer realm="<auth URL>",service="docker-registry"
   Use that auth URL for docker-server when creating the second secret.
4. Re-run import.

Hope that helps,
Maciej
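
Added example, not part of the original message: a shell sketch that reads the headers of the unauthenticated 401 response described above and lists the --docker-server value for each secret the import needs. The function names and the example.com hosts are hypothetical, the sample headers are constructed, and treating a realm on the registry's own host as the first use-case is an assumption.

```shell
#!/bin/sh
# Constructed samples: headers of an unauthenticated GET https://<registry>/v2/...
# ("< " is the prefix curl -v puts in front of response headers).
SAMPLE_BEARER='< HTTP/1.1 401 Unauthorized
< Content-Type: application/json
< Www-Authenticate: Bearer realm="https://auth.example.com/jwt/auth",service="docker-registry"'
SAMPLE_BASIC='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Registry"'

# Print the realm URL of a Bearer challenge read from stdin; nothing otherwise.
# Copes with CRLF line endings, the curl -v prefix and any header-name casing.
bearer_realm() {
    tr -d '\r' | sed 's/^< //' |
    sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate:[[:space:]]*[Bb]earer[[:space:]].*realm="\([^"]*\)".*/\1/p' |
    head -n 1
}

# Host part of a URL, or of a bare host[:port][/path] string.
url_host() {
    printf '%s\n' "$1" | sed 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:?].*$##'
}

# Print one --docker-server value per line for the secrets the import needs.
# $1 = registry host, stdin = response headers.
docker_servers() {
    registry=$1
    realm=$(bearer_realm)
    # A secret for the registry itself is needed in both use-cases.
    printf '%s\n' "$registry"
    # Assumption: a realm on the registry's own host is the first use-case,
    # so only a realm on a different host calls for a second secret.
    if [ -n "$realm" ] && [ "$(url_host "$realm")" != "$(url_host "$registry")" ]; then
        printf '%s\n' "$realm"
    fi
}

# Demo on the constructed Bearer sample: prints the registry host, then the auth URL.
printf '%s\n' "$SAMPLE_BEARER" | docker_servers registry.example.com
```

Each printed line is a value for --docker-server in the oc secrets new-dockercfg command from step 2.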





On Thu, Jan 4, 2018 at 2:53 PM, Alan Christie <achristie informaticsmatters com> wrote:
Thanks for your guidance so far Maciej but none of this is working for me. [1] doesn’t really help as I’m past that and, sadly, the 1,500 lines and numerous posts in issue 9584 [2] are exhausting to trawl through and still leave me with an inability to pull from GitLab using an image stream.

Again, I have a working DC/IPS solution. I understand secrets, DCs and IPS but I still cannot get ImageStreams to work. I just get…

Internal error occurred: Get https://registry.gitlab.com/v2/myproject/myimage.manifests/latest: denied: access forbidden. 

I’m just about exhausted.

So, if my setup is:
  • OpenShift 3.6.1
  • An image that's: myproject/myimage:latest
  • A registry that’s: registry.gitlab.com
  • A pull secret that works for DC/IPS - i.e. I can pull the image from the private repo with my DC and the installed secret.
What...
  • would my ImageStream yaml template or json look like?
  • would I need to change in my working DC yaml?
  • if any, are the crucial roles my OC user needs?

On 3 Jan 2018, at 11:03, Maciej Szulik <maszulik redhat com> wrote:

Have a look at [1] which should explain how to connect the IS with the secret. Additionally,
there's [2] which explains problems when auth is delegated to a different uri.

Maciej


On Wed, Jan 3, 2018 at 10:34 AM, Alan Christie <achristie informaticsmatters com> wrote:
Hi all,

I’m successfully using DeploymentConfig (DC) and ImagePullSecret (IPS) templates with OpenShift Origin v3.6 to spin up my application from a container image hosted on a private GitLab registry. But I want the deployment to re-deploy when the GitLab image changes and to do this I believe I need to employ an ImageStream.

I’m comfortable with each of these objects and have successfully used ImageStreams and DCs with public DockerHub images (that was easy because there are so many examples). But I’m stuck trying to pull an image using an ImageStream from a private GitLab-hosted docker registry.

The IPS seems to belong to the DC, so how do I get my ImageStream to use it? My initial attempts have not been successful. All I get, after a number of attempts at this, is the following error on the ImageStream console...

        Internal error occurred: Get https://registry.gitlab.com/v2/myproject/myimage/manifests/latest: denied: access forbidden. Timestamp: 2017-12-28T14:27:12Z Error count: 2.

Where “myproject” and “myimage” are my GitLab project and image names.

My working DC/IPS combo looks something like this…

[…]
imagePullSecrets:
- name: gitlab-myproject
containers:
  - image: registry.gitlab.com/myproject/myimage:stable
    name: myimage
[…]

But what would my DC/IPS/ImageStream objects look like?

Thanks in advance.

Alan Christie.

